VOIP.MS DDoS 7 Day outage, dump them? Is this normal in the industry?

Personally I find using the internet to make phone calls is quite effective. But if you are obdurate as to any prophylaxis for ‘the common cold’ then rock on . .

I don’t think I’m being stubborn about anything. I’m just saying there are many routes to the internet from a security perspective. That’s all. As per my expanded response above. Thanks for shoving me into your specific box though. Much appreciated. I can see you feverishly replying. Jesus Christ in a chicken basket.

Just run sngrep and filter for invites only, prepare to be surprised . . . they are out to get you . . .


I’m sure they are! ;) You’re not really paranoid if they really are out to get you. Once again not sure how I ever gave you the bloody impression that I was saying they are not trying 24/7. I’m just saying I don’t sit there with my @SS out saying, “Come on in!” In fact, I didn’t tell you where my @SS was at all. ;)

Then you have everything covered and don’t need to do anything more. (Would I be right in thinking your SSH server listens on port 22 also?)

No, that would be your assumption. Sigh. Which there seem to be many of since you’ve chosen to fight a battle, that does not exist, with me. And once again, assumptions on both. Hence my expanded responses. Maybe I could assume the same and assume it’s the reason you’re so defensive and on the offensive. Maybe this is coming from some kind of other experience today. Which I care not to make any assumptions on. I’ll provide you with the benefit and open-mindedness you’ve not provided me. I’m sure you’ll get ready to fire and ask questions later again. Yep, here we go.

I only accept SIP conversations with a well formed cert using TLS, try it. Accepting udp:5060 will get your ass bit sooner or later.

Thanks for the advice. Once again you’re making assumptions. No one said that wasn’t the case. I was making conversation about VOIP.MS while assuming nothing about their security; for some reason, that lit a fire. And an assumption when I didn’t disclose. There’s no fire here. And here we go again.

This website shows that the hackers’ Bitcoin address did not receive anything.


Some POPs are now operational

No assumption, but hard to gauge in your refusal to be specific. If you’re happy with your security measures, then vaya con Dios.

That’s good news. I’m glad they’re getting it worked out. Thanks for changing the conversation back to this. Much appreciated.

@dicko. Thanks.

Cloudflare is quite effective in keeping the website up. It might be a little slow, but better than nothing.

Right now I’m not sure if the reason why some of the POPs are working now is because the attack is slowing down or they actually implemented something; they are not too transparent. I don’t know, in a few hours the attack might start up again. The POPs’ IPs have not changed.
I’m waiting for the full report.

I’m just going to say this for clarity and context.

Not listening on UDP:5060 can stop some things but this isn’t 2005; bad actors aren’t just scanning standard/known ports for SIP. They are scanning all the ports for SIP because 15 years of “use something other than UDP:5060” has caught up, along with the fact that scanning ports in 2021 is no longer as intensive as it used to be back in the day. I set up a honeypot of various ports like 5160, 5080, 5082, 5180, etc. and guess what? ALL HAVE BEEN HIT.

Also, in regards to the context of this subject matter, this is a DDoS attack. Something designed to hit you so hard, so much and so fast that your systems can’t handle it and services are brought to a halt. You know what can be DDoS’d? TLS and TCP connections. In fact those are generally two of the ways things are DDoS’d to begin with.

So listening or not listening on UDP:5060, using TLS/TCP or not for your SIP connections, has no real bearing on stopping a DDoS attack that doesn’t actually care about those things, just that they are hammering you so hard your system can’t do what it should be doing.
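
Added example, not part of the original post: one way to tally what a multi-port SIP honeypot like the one described above receives, per listener port and per source. The record layout, the `req`, `parse_sip_request` and `summarize` names, and all sample data are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

REQUEST_LINE = re.compile(rb"^([A-Z]+) sips?:\S+ SIP/2\.0$")

def req(method, ua="constructed-scanner"):
    """Build a minimal constructed SIP request (sample data only)."""
    return (f"{method} sip:100@203.0.113.5 SIP/2.0\r\n"
            f"User-Agent: {ua}\r\n\r\n").encode()

# Constructed records (source IP, listener port, UDP payload), in the shape a
# hypothetical multi-port honeypot listener might log them. Not real capture data.
SAMPLE = [
    ("192.0.2.10", 5060, req("OPTIONS")),
    ("192.0.2.10", 5160, req("OPTIONS")),
    ("192.0.2.10", 5080, req("INVITE")),
    ("198.51.100.7", 5082, req("REGISTER")),
    ("198.51.100.7", 5082, req("REGISTER")),
    ("198.51.100.20", 5180, req("INVITE")),
    ("203.0.113.99", 5180, b"\x16\x03\x01\x00\x05"),  # not SIP
]

def parse_sip_request(payload):
    """Return (method, user_agent) if payload starts with a SIP request line."""
    head, _, rest = payload.partition(b"\r\n")
    m = REQUEST_LINE.match(head)
    if not m:
        return None
    ua = ""
    for line in rest.split(b"\r\n"):
        if not line:            # blank line ends the headers
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            ua = value.strip().decode("ascii", "replace")
    return m.group(1).decode("ascii"), ua

def summarize(records, sweep_threshold=2):
    """Tally SIP methods per listener port and flag sources seen on many ports."""
    per_port, ports_by_src, non_sip = defaultdict(Counter), defaultdict(set), 0
    for src, port, payload in records:
        parsed = parse_sip_request(payload)
        if parsed is None:
            non_sip += 1
            continue
        per_port[port][parsed[0]] += 1
        ports_by_src[src].add(port)
    sweepers = sorted(s for s, p in ports_by_src.items() if len(p) >= sweep_threshold)
    return {p: dict(c) for p, c in per_port.items()}, sweepers, non_sip

if __name__ == "__main__":
    per_port, sweepers, non_sip = summarize(SAMPLE)
    for port in sorted(per_port):
        print(port, per_port[port])
    print("multi-port sources:", sweepers, "| non-SIP payloads:", non_sip)
```

Sources that appear on several listener ports are sweeping the range rather than targeting 5060, which is the pattern the post reports.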


Thread locked after multiple flagged posts. Feel free to flag this post or PM me if you disagree.

edit - Thread unlocked.


@BlazeStudios, Absolutely correct. Even if you’re dropping traffic on an edge device interface(s), the goal is to throw so much traffic at the security engine, whether that rule be geo denial, IP denial or snort/layer 7 behaviour rules, that the engine and its resources such as memory or CPU on that security device or cluster security device gets overwhelmed, slowing down the processing of regular accepted traffic as well on the interface(s) because it’s working so hard to drop that denied traffic based on the defined rules. Eventually resource needed outweighs actual system resources. And services and traffic grind to a halt, as the edge device struggles to do its job under the weight of the attack. They’re consecutively hammering ALL ports not caring what is there; the goal is to create as much disruption and traffic as possible. The port or service doesn’t matter at that point; they’re aiming to overwhelm the system and its function, affecting all servers and systems behind the security wall. They want to choke off the pipe(s).